Topics menu

You are here:

Privacy obligations under PIPEDA apply to financial technology sector

Early Resolved case summary #2017-001

July 25, 2017

Lessons Learned

While the financial technology (FinTech) sector is relatively new, this case summary is an example of how PIPEDA can and does apply to this emerging sector, and how the OPC’s early resolution process can play a role in effectively and efficiently resolving disputes in a manner that is both beneficial to a FinTech company and an individual.

The purposes for which organizations collect, use and disclose personal information have to be identified at or before the time of collection with the goal of informing an individual of the privacy implications of their decisions before they decide to proceed.

Complaint summary

The complainant visited the website of a FinTech organization with the intention of opening a financial investment account online. In general, a FinTech company is a technology driven company that provides online and digital financial services. In order to simply obtain the company’s investment account management agreement, the complainant had to first provide his personal information, some of which was sensitive. Once he disclosed his personal information, he was then able to access the company’s management agreement and review its terms and conditions, to determine whether or not he wanted to open an account with the company. After reviewing the agreement, the complainant decided not to open an account.

The complainant contacted the company to express his concern about the collection of his personal information and asked that the information be deleted since he had chosen not to become a client. He received a response from the company, citing “regulatory requirements” for the collection of personal information. Dissatisfied with the response, the complainant filed a complaint with the OPC.

Outcome

Our Office contacted the organization, which explained its collection of personal information for regulatory requirements. While our Office acknowledged that there are regulatory requirements for the collection of certain personal information for specific purposes, this would be the case once an individual becomes a client, and not before. The organization was advised that its website required revision so that prospective clients can review its management agreement, without having to first provide personal information, in order to be made aware of the privacy implications of their decision to proceed and to be able to provide meaningful and valid consent. As a result, the organization agreed to revise its website and Privacy Policy accordingly.

The complainant was pleased with the outcome and considered the matter early resolved.